REMARKS

No claims are added, cancelled, or amended. Hence, Claims 1-40 are pending in the 
application. 

I. SUMMARY OF THE REJECTIONS 

Claims 1-5 and 21-25 stand rejected under 35 U.S.C. § 103(a) as allegedly being 
unpatentable over U.S. Patent Publication No. 2002/0143735 to Ayi et al. ("Ayi") in view of 
U.S. Patent No. 5,787,428 issued to Hart ("Hart"). This rejection is respectfully traversed. 

Claims 6-20 and 26-40 stand rejected under 35 U.S.C. § 103(a) as allegedly being 
unpatentable over U.S. Patent No. 5,859,966 issued to Hayman et al. ("Hayman") in view of 
Ayi. This rejection is respectfully traversed. 

II. THE REJECTIONS BASED ON THE CITED ART
A. CLAIMS 1-5 AND 21-25 

Claims 1-5 and 21-25 stand rejected under 35 U.S.C. § 103(a) as allegedly being 
unpatentable over Ayi in view of Hart. It is the Office Action's position that the evidence 
submitted is insufficient to establish a reduction to practice of the invention according to 
Claims 1-5 and 21-25 prior to the effective date of Ayi (page 2). The Office Action contends 
that the subject declaration amounts to a general allegation and that a statement of the facts 
demonstrating the correctness of the declaration by the inventors to the effect that the invention 
was reduced to practice prior to the effective date of Ayi (page 2). It is respectfully submitted 
that this is incorrect. 

The Office Action quoted MPEP § 715.02, which states: "If the affidavit contains facts 
showing a completion of the invention commensurate with the extent of the invention as 
claimed is shown in the reference or activity, the affidavit or declaration is sufficient" (same
emphasis as in Office Action). The present declaration satisfies this criterion, i.e., the declaration
contains facts showing a completion of the invention commensurate with the extent of the 
invention as claimed. For example, the declaration states: 

3. We conceived and reduced to practice an implementation of claims 1-5
and 21-25 before the effective filing date of Ayi.

4. We participated on a team that developed the implementation of claims 1-5
and 21-25 that is incorporated into an Oracle™ database server
product. After the design phase of the development, successful tests
were run to show that the implementation worked according to
claims 1-5 and 21-25. These tests, which were conducted using
standard internal test processes and procedures, were completed before
the effective filing date of Ayi and were carried out in this country.

(emphasis added) 

Therefore, the declaration is sufficient.

On pages 3-4, the Office Action stated patent office policy for actual reductions to 
practice under 37 CFR § 1.131, which office policy apparently states: 

a. Testing is required unless operativeness of invention is readily apparent. 

b. Testing, if required, must be under actual working conditions or realistic 
simulation of working conditions. 

c. Test results must be repeatable. 

In support of this policy, the Office Action cited MPEP § 2138.05. However, MPEP § 2138.05 
pertains to interference practice and 37 CFR 1.131 does not apply in interference proceedings 
(see MPEP 2138.01(01)). Neither the CFR nor the MPEP requires testing in a Rule 131
declaration. Nevertheless, the inventors stated in the declaration that "successful tests were
run to show that the implementation worked according to claims 1-5 and 21-25" (¶ 4;
emphasis added). Furthermore, software tests are clearly repeatable. If ¶ 4 of the declaration
was considered by the Examiner, then it appears from this appeal for testing of the invention
that the Examiner might want to personally witness tests being run. However, there is no such
requirement. Instead, MPEP § 715.07(1) requires examiners to "consider all of the evidence
presented in its entirety, including the... declarations" (emphasis added). Thus, because the
declaration is evidence of a reduction to practice of the invention, the declaration must be 
considered. 

Finally, the Office Action stated that "the examiner cannot determine whether or not the 
reduced to practice invention is commensurate with the claims without the nexus between the 
claim and the Exhibit. As a result, the Examiner has no basis to approve the affidavit"
(emphasis in Office Action). It is respectfully submitted that the Examiner has ample basis to
approve the declaration. 

First, the statements by the inventors in the subject declaration are not hollow assertions. 
Rather, they are specific statements of fact. (Again, see MPEP § 715.07(1), which states that
evidence includes the declaration.) As such, the statements are considered evidence, each of 
which cannot be ignored. 

Second, the courts have stated that "the PTO is required to accept Rule 131 Affidavits at
face value, and without investigation" (see, e.g., Herman v. Williams Brooks Shoe Co., 39
USPQ2d 1773, 1777 (S.D. N.Y. 1996); see also Chisum on Patents § 3.08[1][a] (2005);
emphasis added). Based on the specific evidence provided in the declaration, the inventors 
have satisfied their burden to prove that a working implementation of the invention according 
to Claims 1-5 and 21-25 existed prior to the effective filing date of Ayi. 

Third, MPEP § 715.07 states, "An accompanying exhibit need not support all 
claimed limitations, provided that any missing limitation is supported by the declaration 
itself." Indeed, exhibits are not even required by 37 CFR § 1.131(b) or the MPEP. Exhibits A-D
are either test script files or test script log files that show results of running the corresponding
test script. The exhibits do not provide the actual code. However, neither the CFR nor the
MPEP requires code to be submitted in an exhibit, nor do the CFR and MPEP require a
declaration to state word-for-word each claim limitation. To require a declaration to state
word-for-word each claim limitation would be mere form over substance since Applicants may 
simply recite each claim limitation and state that such claim limitation was implemented before 
a certain date. Nevertheless, the inventors have done effectively as much when referring (1) 
specifically to Claims 1-5 and 21-25 in ¶¶ 3, 4, and 9 of the declaration and (2) implicitly in the
remaining statements. Therefore, it is odd that the Office Action would assert that "the 
examiner cannot determine whether or not the reduced to practice invention is commensurate 
with the claims." Contrary to this assertion in the Office Action, the Applicants have given "a
clear explanation of the exhibits [in the declaration] pointing out exactly what facts are 
established and relied on by applicant." MPEP § 715.07. 

As stated above, the Patent Office is required to accept Rule 131 declarations at face 
value, without investigation. Based on the foregoing, it is respectfully submitted that the 
declaration and the accompanying exhibits are sufficient to prove a reduction to practice of the 
invention. Accordingly, reconsideration of the declaration is respectfully requested. 

B. CLAIMS 6-20 AND 26-40

Claims 6-20 and 26-40 stand rejected under 35 U.S.C. § 103(a) as allegedly being 
unpatentable over Hayman in view of Ayi. 

1. Claims 6 and 26 
Claims 6 and 26 recite: 

registering, with a database management system, one or more packages of routines, 
wherein each package of said one or more packages implements a security 
model that supports a model set of one or more policies of the database policy 
set and said each package includes an access mediation routine; 

associating a first policy of a first model set in a first package with a first table
within the database system; and

invoking the access mediation routine in the first package for determining whether to
allow operation on data in the first table based on the first policy. (emphasis added)

Claims 6 and 26 require "registering, with a database management system . . . one or 
more packages of routines, wherein each package . . . implements a security model . . . and said 
each package includes an access mediation routine," and "invoking the access mediation 
routine [to determine] . . . whether to allow operation on data in the first table." This feature is 
not disclosed or suggested by Hayman. 

First, the Office Action alleges that the "applicant admits that registering one or more
packages of routines are well known in the art" on page 17 of the Specification. This is plainly
incorrect. The italicized sentence below is taken completely out of context. The applicable
language from the Specification states:

In step 212 a first security model package is registered with the security manager 
132 of the database server 130. In some embodiments, the database security 
administrator designs and develops the security model package. In some 
embodiments the security model package is provided by the developer of the 
security manager 132, or is provided by a third party vendor, so that a database 
administrator does not have to develop her own package. For example, a 
security model package 110 that supports a compartmented security model is
provided by the developer of the security manager, and the database security 
administrator registers the package 110 with the database server 130. Any 
manner known in the art for registering the package at the time the package is 
registered can be used. For example, the database security administrator 
types in a name of the file containing the package in a dialog box of a 
graphical user interface for the security manager 132 of the database server 
130 (page 17, paragraph 57) (emphasis added). 

Clearly, what is meant by "any manner known in the art for registering the package at the time
the package is registered can be used" is that the manner in which a package is identified for
being registered is not important (e.g., dialog box of a GUI or DOS command). However,
nothing in the Specification implies or suggests that previous database systems actually register
one or more packages of routines as claimed (i.e., wherein each package implements a security
model and includes an access mediation routine).

The Office Action also asserts that "Hayman teaches incorporate[ing] and install[ing]
security software which inherently includes registering one or more packages of routines." The 
paragraphs cited by the Office Action in support of this assertion state that a "Session Monitor 
has been designed to be extensible, in the sense that the owner of the security system can 
incorporate their own software to change access mode of a user or administrator" (col. 8, line 
66 - col. 9, line 2). Thus, the Office Action equates the Session Monitor with a package of 
routines. 

The Session Monitor, however, "controls the manner in which a user or administrator 
initially gains access to the system, and the manner in which a user or administrator changes 
from their current mode of access to a different mode (for example, from user to 
administrator)" (col. 8, lines 55-60), whereas Claim 6 requires that a policy from a package of 
routines is associated with a table within the database system. There is no teaching or 
suggestion in Hayman that the Session Monitor, or any component thereof, is associated 
with a table within a database system. 

The Office Action also cites paragraphs in Hayman that describe a Reference Monitor 
for teaching the first step of Claim 6. "The Reference Monitor is the entity that mediates all 
requests for access to an object by a subject, and thus controls whether, and to what extent, the 
subject is granted access to the object" (col. 9, lines 56-59). However, the reference does not 
disclose that this may be registered so that it can be customized and implemented by the user. 
Indeed, it was described in a version of Data General's security system as being "tightly 
integrated with Data General's operating system" (col. 1, lines 26-28). This indicates that 
customization is not readily possible and that the Reference Monitor is actually an embedded
native software component of the security system, not a separate module that needs to be
registered. Again, this is all in contradiction to the elements of Claims 6 and 26. 

The Office Action also alleges that Hayman col. 5, lines 18-60 teaches "associating a 
first policy of a first model set in a first package with" an object. To be clear, instead of an 
object, Claim 6 states that the first policy is associated with "a first table within the database 
system". The Office Action equates the "labels" described in the above cited portion of 
Hayman with the "first policy" of Claim 6. However, the "first policy" of Claim 6 is a policy of 
a model set in a package that is registered with a database management system. Nowhere
does Hayman teach or suggest in the above cited portion that a "label" is registered with a 
database management system. 

Because Hayman fails to teach or suggest that a "first policy" is part of a package that is 
associated with an object, much less a table, Hayman also fails to teach or suggest "invoking 
the access mediation routine in the first package for determining whether to allow operation on 
data. . .based on the first policy". 

Remember, regardless of the above cited deficiency in the Office Action, the first 
requirement of Claims 6 and 26 is "registering, with a database management system, one or 
more packages of routines. . . ." These packages of routines are separate from the label-based 
security policies which govern whether operations can be performed on particular data. This is 
significant because it allows the routines to be administered and customized separate from the 
label-based security policies. The Hayman reference does not discuss or teach that routines are 
registered with the database management system. Hayman does describe security labels in the 
form of a capability set that are assigned or placed on an object by the owner of the object. 
However, these labels cannot in any way be equated to the routines used to support the
label-based security policies.

In sum, Hayman only discusses the use of security-based labels and not registered
routines that may be, for example, customized to affect how those labels are used to determine 
proper access. The Hayman implementation uses non-registerable and native components of an 
application to implement the policies. 

Thus, because Hayman, alone or in combination with Ayi, does not teach, suggest, or 
render obvious Claims 6 and 26, it is respectfully submitted that Claims 6 and 26 are patentable 
over the combination of Hayman and Ayi. Reconsideration and allowance of Claims 6 and 26 
are respectfully requested. 

2. Dependent Claims 
The pending claims not discussed so far (Claims 7-20 and 25-40) are dependent claims 
that depend on an independent claim that is discussed above. Because each of the dependent 
claims includes the limitations of claims upon which they depend, the dependent claims are 
patentable for at least those reasons the claims upon which the dependent claims depend are 
patentable. Removal of the rejections with respect to the dependent claims and allowance of 
the dependent claims is respectfully requested. In addition, the dependent claims introduce 
additional limitations that independently render them patentable. Due to the fundamental 
difference already identified, a separate discussion of those limitations is not included at this
time.

III. CONCLUSION

For the reasons set forth above, it is respectfully submitted that all of the pending claims 
are now in condition for allowance. Therefore, the issuance of a formal Notice of Allowance is 
believed next in order, and that action is most earnestly solicited. 

The Examiner is respectfully requested to contact the undersigned by telephone if it is 
believed that such contact would further the examination of the present application. 

Please charge any shortages or credit any overages to Deposit Account No. 50-1302. 

Respectfully submitted, 

HICKMAN PALERMO TRUONG & BECKER LLP 

/DanielDLedesma#57 181/ 

Daniel D. Ledesma 
Reg. No. 57,181 

Date: August 14, 2007 

2055 Gateway Place, Suite 550 
San Jose, CA 95110 
Telephone: (408) 414-1229 
Facsimile: (408) 414-1076